[DNSOP] Re: [EXTERNAL] New Version Notification for draft-jens-7050-secure-channel-00.txt

Tommy Jensen <Jensen.Thomas@microsoft.com> Wed, 26 June 2024 05:50 UTC

From: Tommy Jensen <Jensen.Thomas@microsoft.com>
To: "dnsop@ietf.org" <dnsop@ietf.org>
Date: Wed, 26 Jun 2024 05:50:20 +0000
CC: V6 Ops List <v6ops@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Ss4YPHKT_qEp9Vh10OtoAPScpbY>

Hello dnsop and v6ops,

I've written a draft that proposes updates to RFC 7050, which defined the mechanism for discovering the network's IPv6 translation prefix using a DNS query for ipv4only.arpa. RFC 7050 also defined "secure channel" such that clients SHOULD use IPsec or similar to secure communications with the DNS64 server.

However, since 7050 was published, various encrypted DNS protocols combined with DNR (RFC 9463) allow DNS64 servers to have their encrypted DNS config directly advertised by the network, and nodes can then use DoT, DoH, or DoQ to securely communicate with the DNS64 server. This text updates 7050 to recommend that approach, along with discouraging use of the previously defined DNSSEC mechanism (since the name of the resolver is now known and can be confirmed using TLS).

Given the behave WG has disbanded, Warren recommended I approach dnsop for initial discussion and include v6ops for discussion (for v6ops context: this is part of the secondary work that came out of the draft Jen and I are writing for CLAT Best Practices). I am seeking feedback on whether updating 7050 is the correct approach, and more generally, if there's interest in taking up work in the area of "revisiting how a stub resolver should secure its communication with a DNS64 resolver".

Thanks,
Tommy

P.S. I noticed I ended up with the 2119 section at the bottom... oh well, next time.

________________________________
From: internet-drafts@ietf.org <internet-drafts@ietf.org>
Sent: Tuesday, June 25, 2024 10:37 PM
To: Tommy Jensen
Subject: [EXTERNAL] New Version Notification for draft-jens-7050-secure-channel-00.txt

A new version of Internet-Draft draft-jens-7050-secure-channel-00.txt has been
successfully submitted by Tommy Jensen and posted to the
IETF repository.

Name:     draft-jens-7050-secure-channel
Revision: 00
Title:    Redefining Secure Channel for ipv4only.arpa IPv6 Prefix Discovery
Date:     2024-06-26
Group:    Individual Submission
Pages:    11
URL:      https://www.ietf.org/archive/id/draft-jens-7050-secure-channel-00.txt
Status:   https://datatracker.ietf.org/doc/draft-jens-7050-secure-channel/
HTML:     https://www.ietf.org/archive/id/draft-jens-7050-secure-channel-00.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-jens-7050-secure-channel


Abstract:

   This document updates [RFC7050] to redefine the term "secure channel"
   and modify requirements for nodes and DNS64 servers to use more
   recent developments in DNS security.



The IETF Secretariat
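The RFC 7050 discovery step referred to in the message above (querying ipv4only.arpa and recovering the NAT64 prefix from the synthesized AAAA records) as an added, self-contained example; this is illustrative code, not from the draft or any implementation. It uses the two well-known IPv4 addresses of ipv4only.arpa (192.0.0.170 and 192.0.0.171) and the RFC 6052 embedding layouts; the AAAA answers are constructed sample data, and the secure-channel question the draft addresses (authenticating the resolver that returned them) is outside what this snippet shows.

```python
import ipaddress

# Well-known IPv4 addresses of ipv4only.arpa (RFC 7050).
WELL_KNOWN_IPV4 = {
    ipaddress.IPv4Address("192.0.0.170"),
    ipaddress.IPv4Address("192.0.0.171"),
}

# RFC 6052 embedding: for each Pref64::/n length, the byte offsets within the
# 16-byte IPv6 address that carry the four IPv4 octets. Byte 8 (the "u" octet)
# is skipped and must be zero for every length shorter than 96.
IPV4_OFFSETS = {
    32: (4, 5, 6, 7),
    40: (5, 6, 7, 9),
    48: (6, 7, 9, 10),
    56: (7, 9, 10, 11),
    64: (9, 10, 11, 12),
    96: (12, 13, 14, 15),
}


def embedded_ipv4(addr: ipaddress.IPv6Address, plen: int) -> ipaddress.IPv4Address:
    """Extract the IPv4 address an IPv6 address would embed for a given Pref64 length."""
    packed = addr.packed
    return ipaddress.IPv4Address(bytes(packed[i] for i in IPV4_OFFSETS[plen]))


def discover_pref64(aaaa_answers):
    """Return the sorted list of Pref64::/n candidates (as strings) found in the
    AAAA records returned for ipv4only.arpa. A record contributes a candidate only
    when one of the well-known IPv4 addresses sits where RFC 6052 would put it."""
    found = set()
    for rdata in aaaa_answers:
        addr = ipaddress.IPv6Address(rdata)
        for plen in IPV4_OFFSETS:
            if plen < 96 and addr.packed[8] != 0:
                continue  # "u" octet must be zero; this layout cannot apply
            if embedded_ipv4(addr, plen) in WELL_KNOWN_IPV4:
                # Keep only the prefix bits; strict=False masks the host part.
                found.add(str(ipaddress.IPv6Network((addr, plen), strict=False)))
    return sorted(found)


if __name__ == "__main__":
    # Constructed sample: a DNS64 resolver synthesizing under 64:ff9b::/96.
    sample = ["64:ff9b::c000:aa", "64:ff9b::c000:ab"]
    print(discover_pref64(sample))
```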